Several dozen Florida county supervisors of elections and IT workers are briefed on some of the many threats faced by election systems today and ways to guard against them.

Pam Fessler
/ NPR News

Listen

Listening...

/

Originally published on February 3, 2018 11:30 pm

If anyone knows how easily voting can be disrupted, it's a county election supervisor in the state of Florida. That's one reason several dozen of them gathered in Orlando recently to discuss ways to protect against the most recent threat — cyberattacks by Russia or others intent on disrupting U.S. elections.

Marion County elections supervisor Wesley Wilcox said he realizes the threat has evolved far beyond the butterfly ballots and hanging chads that upended the 2000 presidential race. And even beyond the lone hacker.

"It's no longer the teenager in his basement eating Cheetos that's trying to get into my system," said Wilcox. "There are now nation states that are, in a coordinated effort, trying to do something."

CIA Director Mike Pompeo is the latest intelligence official to warn the Russians will likely try to interfere in this year's elections, as they did in 2016. And Florida was among at least 21 states that intelligence agencies say had their election systems probed by Russian hackers during the last election cycle.

There's no evidence that any votes were affected, but everyone at the Orlando meeting was well aware that they're now on the front lines of a serious international conflict.

"The reality is all of us are going to be impacted at some point in time by a cyber incident. All of us," Matt Masterson, chairman of the U.S. Election Assistance Commission, told the group. His agency is working with states and localities to beef up election security.

Masterson displayed a news article about hackers targeting nuclear facilities to drive home the significance of the threat.

"I share this because you're now in good company," he said. "As part of the nation's critical infrastructure, you're now in a group with nuclear facilities."

The Department of Homeland Security last year designated elections as part of the nation's critical infrastructure.

Since 2000, most jurisdictions have replaced their old equipment with more computerized systems, including electronic voting machines, vote tabulators and on-line registration systems. Ryan Macias of the Election Assistance Commission said new technology carries new risks and vulnerabilties.

"We have denial of service, which is a disruption attack, your website going down," he said, noting that if that happens on Election Day, it can shake voter confidence, even if no actual votes have been changed.

He said it's also important to make sure that vendors and contractors are using secure systems. And to screen temporary election workers who might have access to sensitive information and passwords.

Ransomware is another problem. "What happens if somebody takes your data, takes your election night reporting data, and holds it ransom on election night?" Macias asked. "What are you going to do? How are you going to recover from that? What are you backup processes?"

The election supervisors and some of their IT staffers broke into small groups to work out their responses to several hypothetical attacks. They had to figure out whom to call first, how to contain the damage and whom to tell about the incident. Should law enforcement be informed?

"Alright, so it appears one of our employees has been successfully phished," Will Boyett, of the Alachua County elections office, said in presenting one of the scenarios.

Phishing attacks are something most of the people in the room are very familiar with. According to a leaked intelligence report, Russian hackers, posing as a Florida vendor, tried to get local election office workers to open e-mail attachments containing malicious software. So far, there's no evidence anyone did.

It was clear that many of those gathering in Orlando already have protections in place and are well aware of the risks. But some county election offices are extremely small, with no IT staff of their own. Dana Southerland runs elections in Taylor County, which has only 13,000 voters. She said she picked up some useful tips, such as changing passwords and being careful about opening e-mails.

"Making sure that it's not a phishing e-mail or something like that. I had no idea what that was until we started having some of these workshops," she said.

Southerland — who is also President of the Florida State Association of Supervisors of Elections and helped organize the session — said perhaps the most important message is that no one is immune from attack, and they have to be prepared.

Copyright 2018 NPR. To see more, visit http://www.npr.org/.

SCOTT SIMON, HOST:

And elsewhere on the show, we're going to talk to a veteran of the CIA who argues the memo's release damages the intelligence community. The director of the CIA, Mike Pompeo, warned this week the Russians will likely try to interfere in this year's elections like they did in 2016. U.S. officials have been taking steps to guard against an attack.

But as NPR's Pam Fessler reports, security gaps remain. She has an exclusive look at one session aimed at closing those gaps.

PAM FESSLER, BYLINE: If any group knows how easily voting can be disrupted, it's election supervisors in the state of Florida, which is why several dozen of them gathered in Orlando recently to figure out how best to deal with the latest threat. It's no longer butterfly ballots and hanging chads, like those that upended the 2000 presidential race, or even a lone troublemaker. Wesley Wilcox, who runs elections in Marion County, says the danger's grown much larger.

WESLEY WILCOX: You know, it's no longer the teenager in his basement eating Cheetos that's trying to get into my system. There are now nation-states that are in a coordinated effort, trying to do something.

FESSLER: In fact, Florida was among at least 21 states that intelligence agencies say had their election systems probed by Russian hackers in 2016. There's no evidence that any votes were changed, but everyone here is hyper-aware that they're now on the front lines of a very serious international conflict.

MATT MASTERSON: The reality is all of us are going to be impacted at some point in time by a cyber incident - all of us.

FESSLER: Matt Masterson is chairman of the U.S. Election Assistance Commission, a federal agency that's working with states and localities to beef up security. Just to make sure everyone here is sufficiently alarmed, he displays a news article about hackers targeting nuclear facilities.

MASTERSON: I share this because you're now in good company. As part of the nation's critical infrastructure, you're now in a group with nuclear facilities.

FESSLER: Which means more security help from the federal government. But it also means their jobs are far more complex. Elections have become increasingly computerized since 2000, with electronic voting machines, vote tabulators, online registration systems. And that new technology means new risks. Ryan Macias of the Election Assistance Commission has a long list.

RYAN MACIAS: So we have denial of service, which is a disruption attack - your website going down.

FESSLER: He says even if hackers don't change any actual votes, they can shake the public's confidence. There are also concerns about vendors and contractors. How do they transmit information like electronic ballots to election offices? Are their systems secure? What about temp workers? Have they been screened?

MACIAS: You have ransomware. What happens if somebody, you know, takes your data - takes your election night reporting data - and holds it ransom on election night? What are you going to do? How are you going to recover from that? What are your backup processes?

FESSLER: And that's what these election officials and IT workers try to figure out as they break into smaller groups and are asked to deal with some hypothetical hacks.

UNIDENTIFIED MAN #2: Well, WannaCry erases everything, so it came up with a no operating system found.

FESSLER: They have to decide if any systems need to be shut down, who has to be called first and if law enforcement should be told.

UNIDENTIFIED MAN #3: We are required to report it to Department of State, right? And then I believe that they would probably take it from there.

UNIDENTIFIED MAN #4: So they're also a stakeholder, then, as well.

FESSLER: Another challenge these officials face is what to do if an election worker mistakenly opens a malicious email.

UNIDENTIFIED MAN #5: All right. So it appears one of our employees has been successfully phished.

FESSLER: It's something everyone here is familiar with. According to a leaked intelligence report, Russian hackers posing as a Florida vendor tried to get election workers to open email attachments containing malicious software. So far, there's no evidence anyone did. It's clear that a lot of people here already have protections in place. But some counties are extremely small with no IT staffs of their own. Dana Southerland runs elections in Taylor County, which has only 13,000 voters. She says she picked up some useful tips.

DANA SOUTHERLAND: It's not always opening something and trying to respond to it but making sure that it's not a phishing email or something like that. I had no idea what that was until we started having some of these workshops. But I think just general office practices like changing passwords - you know, just general basic things.

FESSLER: She says perhaps the most important message is that no one, no matter how small, is immune from attack, and they have to be ready.